09-10-2007 06:50 PM - edited 03-11-2019 04:09 AM
I have static nat on inside to the VPN so that internal clients can access the VPN. The problem is that VPN clients and L2L connections cannot access the dmz. Any thoughts?
09-10-2007 10:02 PM
You probably have something like this in your config:
access-list nonat permit ip
nat (inside) 0 access-list nonat
This stops your VPN traffic from being NAT'd so that it'll match your crypto access-list correctly. This is only doing it for traffic coming from the inside interface though. For VPN users to get to the DMZ interface you need the same sort of thing like this:
access-list nonatdmz permit ip
nat (dmz) 0 access-list nonatdmz
09-11-2007 03:32 AM
Is the Static (dmz, inside) statement still going to screw me up? I still need internal/vpn clients to use an internal address for the dmz server.
09-11-2007 04:53 AM
Mike,
No it will not. As Glenn has posted, you can use nat exemption for the dmz to vpn clients. This is first in the nat order of operations and will not affect your (dmz,inside) destination nat.
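The two answers above together describe one configuration: a NAT exemption (nat 0) for the inside interface, a second one for the dmz interface, and an existing static (dmz,inside) that keeps working because exemption is evaluated first. The following PIX/ASA (pre-8.3 NAT syntax) fragment is an added illustration and not a config posted in the thread; the interface names and every address (inside 10.1.1.0/24, dmz 192.168.10.0/24, VPN pool 172.16.99.0/24, the DMZ server 192.168.10.50 and its inside-facing address 10.1.1.50) are constructed values for this example.

```cisco
! --- Existing: DMZ server presented to the inside network under an internal address
static (dmz,inside) 10.1.1.50 192.168.10.50 netmask 255.255.255.255

! --- Exemption for traffic leaving the inside interface toward VPN users
! (this is typically what is already there; without it the inside->VPN traffic
!  is translated and no longer matches the crypto access-list)
access-list nonat permit ip 10.1.1.0 255.255.255.0 172.16.99.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- Added: the same exemption for traffic leaving the dmz interface toward VPN users
! nat 0 with an access-list is checked before static statements, so the
! static (dmz,inside) above is left untouched for dmz<->inside traffic
access-list nonatdmz permit ip 192.168.10.0 255.255.255.0 172.16.99.0 255.255.255.0
nat (dmz) 0 access-list nonatdmz
```

Two checks worth doing after applying this: the crypto access-list of the L2L tunnel (and the split-tunnel list for remote-access clients) must also list the DMZ subnet, otherwise the traffic is exempt from NAT but still not sent through the tunnel; and `show xlate` should not show translations for DMZ-to-VPN-pool flows once the exemption is in place.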
09-11-2007 11:09 AM
Thank you both. I will try this in my lab.